Release Notes for the Cisco 1700 Series Routers for Cisco IOS Release 12.2(11)YU

July 28, 2003

These release notes describe new features and significant software components for the Cisco 1700 series routers that support Cisco IOS Release 12.2 T, up to and including Release 12.2(11)YU1. These release notes are updated as needed to describe new memory requirements, new features, new hardware support, software platform deferrals, microcode or modem code changes, related document changes, and any other important changes. Use these release notes with the Cross-Platform Release Notes for Cisco IOS Release 12.2 T located on CCO and the Documentation CD.

For a list of the software caveats that apply to Release 12.2(11)YU1, see the "Caveats" section of these release notes and the online Caveats for Cisco IOS Release 12.2 T document. The caveats document is updated for every 12.2 T maintenance release and is located on Cisco Connection Online (CCO) and the Documentation CD.

This URL is subject to change without notice. If it changes, point your web browser to CCO, and click the following path: Cisco Product Documentation: Access Servers and Access Routers: Modular Access Routers: Cisco 1700 Series Routers: <platform_name>

Determining the Software Version

To determine the version of Cisco IOS software currently running on your Cisco 1700 series router, log in to the router and enter the show version EXEC command. The following sample output from the show version command indicates the version number on the second output line:

Upgrading to a New Software Release

Feature Set Tables

The Cisco IOS software is packaged in feature sets consisting of software images, depending on the platform. Each feature set contains a specific set of Cisco IOS features. Release 12.2(11)YU1 supports the same feature sets as Releases 12.2 and 12.2(8)T, but Release 12.2(11)YU1 includes new features supported by the Cisco 1700 series routers.

Caution Cisco IOS images with strong encryption (including, but not limited to, 168-bit (3DES) data encryption feature sets) are subject to United States government export controls and have limited distribution. Strong encryption images to be installed outside the United States are likely to require an export license. Customer orders can be denied or subject to delay due to United States government regulations. When applicable, the purchaser/user must obtain local import and use authorizations for all encryption strengths. Please contact your sales representative or distributor for more information, or send an e-mail to export@cisco.com.

• In—The number in the "In" column indicates the Cisco IOS release in which the feature was introduced. For example, "12.2(11)YU" means the feature was introduced in 12.2(11)YU. If a cell in this column is empty, the feature was included in a previous release or the initial base release.

Note These feature set tables only contain a selected list of features, which are cumulative for Release 12.2(11)nn early deployment releases only (nn identifies each early deployment release). The tables do not list all features in each image—additional features are listed in the Cross-Platform Release Notes for Cisco IOS Release 12.2 T and Release 12.2 T Cisco IOS documentation.

Table 2 Feature List by Feature Set for Cisco 1710 Routers

Feature set columns:
  A = IP/IPX/AT/IBM/FW/IDS PLUS IPSEC 3DES
  B = IP/FW/IDS PLUS IPSEC 3DES

Feature                                             | In         | A   | B
----------------------------------------------------|------------|-----|-----
IPSec                                               |            |     |
  VPN Device Manager Support                        | 12.2(11)YU | Yes | Yes
  AES Support in Cisco IOS Software                 | 12.2(11)YU | Yes | Yes
  Look-Ahead Fragmentation                          | 12.2(11)YU | Yes | Yes
IOS Firewall                                        |            |     |
  SIP Signaling Support                             | 12.2(11)YU | No  | No
  Websense URL Filtering                            | 12.2(11)YU | Yes | Yes
  N2H2 URL Filtering                                | 12.2(11)YU | Yes | Yes
  ICMP Stateful Inspection                          | 12.2(11)YU | Yes | Yes
  SSL Support for HTTP Authentication Proxy Sign-In | 12.2(11)YU | Yes | Yes
IOS IDS                                             |            |     |
  Signature Enhancement                             | 12.2(11)YU | Yes | Yes
VoIP                                                |            |     |
  MGCP Support for CallManager                      | 12.2(11)YU | No  | No
SNMP                                                |            |     |
  CISCO-DSP-MGMT-MIB                                | 12.2(11)YU | No  | No

Table 3 Feature List by Feature Set for Cisco 1721 Routers

Feature set columns:
  A = IP ADSL/IPX/AT/IBM/FW/IDS PLUS IPSEC 56
  B = IP ADSL/IPX/AT/IBM/FW/IDS IPSEC 3DES
  C = IP/ADSL/FW/IDS PLUS IPSEC 56
  D = IP/ADSL PLUS IPSEC 56
  E = IP/ADSL/FW/IDS PLUS IPSEC 3DES

Feature                                             | In         | A   | B   | C   | D   | E
----------------------------------------------------|------------|-----|-----|-----|-----|-----
IPSec                                               |            |     |     |     |     |
  VPN Device Manager Support                        | 12.2(11)YU | Yes | Yes | Yes | Yes | Yes
  AES Support in Cisco IOS Software                 | 12.2(11)YU | No  | Yes | No  | No  | Yes
  Look-Ahead Fragmentation                          | 12.2(11)YU | Yes | Yes | Yes | Yes | Yes
IOS Firewall                                        |            |     |     |     |     |
  SIP Signaling Support                             | 12.2(11)YU | No  | No  | No  | No  | No
  Websense URL Filtering                            | 12.2(11)YU | Yes | Yes | Yes | No  | Yes
  N2H2 URL Filtering                                | 12.2(11)YU | Yes | Yes | Yes | No  | Yes
  ICMP Stateful Inspection                          | 12.2(11)YU | Yes | Yes | Yes | No  | Yes
  SSL Support for HTTP Authentication Proxy Sign-In | 12.2(11)YU | Yes | Yes | Yes | No  | Yes
IOS IDS                                             |            |     |     |     |     |
  Signature Enhancement                             | 12.2(11)YU | Yes | Yes | Yes | No  | Yes
VoIP                                                |            |     |     |     |     |
  MGCP Support for CallManager                      | 12.2(11)YU | No  | No  | No  | No  | No
SNMP                                                |            |     |     |     |     |
  CISCO-DSP-MGMT-MIB                                | 12.2(11)YU | No  | No  | No  | No  | No

Table 4, Part 1 Feature List by Feature Set for Cisco 1751 and 1760 Routers

Feature set columns:
  A = IP ADSL/IPX/AT/IBM/FW/IDS PLUS IPSEC 56
  B = IP ADSL/IPX/AT/IBM/VOX/FW/IDS IPSEC 3DES
  C = IP/ADSL/VOX/FW/IDS PLUS IPSEC 56
  D = IP/ADSL/VOX PLUS IPSEC 56
  E = IP/ADSL/VOX/FW/IDS PLUS IPSEC 3DES
  F = IP/ADSL/VOX PLUS IPSEC 3DES

Feature                                             | In         | A   | B   | C   | D   | E   | F
----------------------------------------------------|------------|-----|-----|-----|-----|-----|-----
IPSec                                               |            |     |     |     |     |     |
  VPN Device Manager Support                        | 12.2(11)YU | Yes | Yes | Yes | Yes | Yes | Yes
  AES Support in Cisco IOS Software                 | 12.2(11)YU | No  | Yes | No  | No  | Yes | Yes
  Look-Ahead Fragmentation                          | 12.2(11)YU | Yes | Yes | Yes | Yes | Yes | Yes
IOS Firewall                                        |            |     |     |     |     |     |
  SIP Signaling Support                             | 12.2(11)YU | Yes | Yes | Yes | No  | Yes | Yes
  Websense URL Filtering                            | 12.2(11)YU | Yes | Yes | Yes | No  | Yes | Yes
  N2H2 URL Filtering                                | 12.2(11)YU | Yes | Yes | Yes | No  | Yes | Yes
  ICMP Stateful Inspection                          | 12.2(11)YU | Yes | Yes | Yes | No  | Yes | Yes
  SSL Support for HTTP Authentication Proxy Sign-In | 12.2(11)YU | Yes | Yes | Yes | No  | Yes | Yes
IOS IDS                                             |            |     |     |     |     |     |
  Signature Enhancement                             | 12.2(11)YU | Yes | Yes | Yes | No  | Yes | Yes
VoIP                                                |            |     |     |     |     |     |
  MGCP Support for CallManager                      | 12.2(11)YU | No  | Yes | No  | Yes | Yes | Yes
SNMP                                                |            |     |     |     |     |     |
  CISCO-DSP-MGMT-MIB                                | 12.2(11)YU | No  | Yes | Yes | Yes | Yes | Yes

Table 4, Part 2 Feature List by Feature Set for Cisco 1751 and 1760 Routers

Feature set columns:
  A = IP/ADSL/IPX/VOX/FW/IDS PLUS
  B = IP/ADSL/VOX/FW/IDS PLUS
  C = IP ADSL/IPX/AT/IBM/VOICE/FW/IDS IPSEC 56
  D = IP ADSL/IPX/AT/IBM/VOICE/FW/IDS IPSEC 3DES

Feature                                             | In         | A   | B   | C   | D
----------------------------------------------------|------------|-----|-----|-----|-----
IPSec                                               |            |     |     |     |
  VPN Device Manager Support                        | 12.2(11)YU | No  | No  | Yes | Yes
  AES Support in Cisco IOS Software                 | 12.2(11)YU | No  | No  | No  | Yes
  Look-Ahead Fragmentation                          | 12.2(11)YU | No  | No  | Yes | Yes
IOS Firewall                                        |            |     |     |     |
  SIP Signaling Support                             | 12.2(11)YU | Yes | Yes | Yes | Yes
  Websense URL Filtering                            | 12.2(11)YU | Yes | Yes | Yes | Yes
  N2H2 URL Filtering                                | 12.2(11)YU | Yes | Yes | Yes | Yes
  ICMP Stateful Inspection                          | 12.2(11)YU | Yes | Yes | Yes | Yes
  SSL Support for HTTP Authentication Proxy Sign-In | 12.2(11)YU | Yes | Yes | Yes | Yes
IOS IDS                                             |            |     |     |     |
  Signature Enhancement                             | 12.2(11)YU | Yes | Yes | Yes | Yes
VoIP                                                |            |     |     |     |
  MGCP Support for CallManager                      | 12.2(11)YU | Yes | Yes | Yes | Yes
SNMP                                                |            |     |     |     |
  CISCO-DSP-MGMT-MIB                                | 12.2(11)YU | Yes | Yes | Yes | Yes

New and Changed Information

The following sections list the new software features supported by the Cisco 1700 series routers for Release 12.2(11)YU.

New Software Features in Release 12.2(11)YU

The following sections describe the new software features supported by the Cisco 1700 series routers for Release 12.2(11)YU.

VPN Device Manager

Cisco VPN Device Manager (VDM) enables easier Virtual Private Network (VPN) setup and troubleshooting. VDM is used to manage and configure site-to-site VPNs on a single device from a web browser, and to view the effects of configuration changes in real time. VDM implements a wizards-based GUI that allows simplified VPN configuration of the device on which it resides. VDM also monitors general system statistics and router health information such as tunnel throughput and errors. The graphing capability allows comparison of such parameters as traffic volume, tunnel counts, and system utilization.

Advanced Encryption Standard

The Advanced Encryption Standard (AES) feature adds support for the new encryption standard AES, with cipher block chaining (CBC) mode, to IP Security (IPSec). AES is a privacy transform for IPSec and Internet Key Exchange (IKE) that has been developed to replace the Data Encryption Standard (DES). AES is designed to be more secure than DES: AES offers a larger key size, while ensuring that the only known approach to decrypt a message is for an intruder to try every possible key. AES has a variable key length—the algorithm can specify a 128-bit key (the default), a 192-bit key, or a 256-bit key.

Pre-fragmentation For IPSec VPNs

When a packet is nearly the size of the maximum transmission unit (MTU) of the outbound link of the encrypting router, and it is encapsulated with IPSec headers, it is likely to exceed the MTU of the outbound link. This causes packet fragmentation after encryption, which makes the decrypting router reassemble in the process path. Pre-fragmentation for IPSec VPNs increases the decrypting router's performance by enabling it to operate in the high-performance Cisco Express Forwarding (CEF) path instead of the process path.

Pre-fragmentation for IPSec VPNs enables an encrypting router to predetermine the encapsulated packet size from information available in transform sets, which are configured as part of the IPSec security association (SA). If it is predetermined that the packet will exceed the MTU of the output interface, the packet is fragmented before encryption. This avoids process-level reassembly before decryption and helps improve decryption performance and overall IPSec traffic throughput.
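The sizing decision described above, worked through as an added example (this is not Cisco code and not the router's implementation). From the transform set it predicts the ESP tunnel-mode size of a cleartext packet, and when that would exceed the outbound MTU it fragments the cleartext before encryption so that each fragment's ESP packet fits. The overhead figures are the ESP header and trailer layout, the CBC IV sizes for AES and DES, and the 12-byte ICV of HMAC-SHA1-96/HMAC-MD5-96; the transform-set names are only labels.

```python
"""Pre-fragmentation sizing for IPSec ESP tunnel mode (added example, not Cisco code).

Predict the encapsulated size of a cleartext packet from the transform set and, if
it would exceed the outbound MTU, fragment the cleartext *before* encryption so
that every fragment's ESP packet fits. Overheads follow the ESP packet format with
AES-CBC (16-byte IV) or DES-CBC (8-byte IV) and a 12-byte HMAC ICV.
"""
from dataclasses import dataclass
from typing import List, Tuple

OUTER_IP_HEADER = 20     # new IPv4 header prepended in tunnel mode
ESP_HEADER = 8           # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER_FIXED = 2    # pad length (1 byte) + next header (1 byte)
INNER_IP_HEADER = 20     # header of the cleartext IPv4 packet being protected


@dataclass(frozen=True)
class TransformSet:
    """The parts of an IPSec transform set that fix the encapsulation overhead."""
    name: str
    cipher_block: int    # cipher block size: 16 for AES, 8 for DES/3DES
    iv_len: int          # explicit IV in front of the ciphertext (block size for CBC)
    icv_len: int         # integrity check value appended by the HMAC


ESP_AES_SHA = TransformSet("esp-aes esp-sha-hmac", cipher_block=16, iv_len=16, icv_len=12)
ESP_DES_MD5 = TransformSet("esp-des esp-md5-hmac", cipher_block=8, iv_len=8, icv_len=12)


def esp_tunnel_size(cleartext_len: int, ts: TransformSet) -> int:
    """Wire size of the ESP tunnel-mode packet carrying a cleartext_len-byte inner packet.

    The encrypted region is inner packet + padding + 2-byte trailer, padded up to a
    multiple of the cipher block size; the IV and ICV sit outside that region.
    """
    to_encrypt = cleartext_len + ESP_TRAILER_FIXED
    padded = -(-to_encrypt // ts.cipher_block) * ts.cipher_block   # round up to block
    return OUTER_IP_HEADER + ESP_HEADER + ts.iv_len + padded + ts.icv_len


def max_cleartext(mtu: int, ts: TransformSet) -> int:
    """Largest inner packet whose ESP encapsulation still fits within mtu bytes."""
    fixed = OUTER_IP_HEADER + ESP_HEADER + ts.iv_len + ts.icv_len
    room = (mtu - fixed) // ts.cipher_block * ts.cipher_block      # round down to block
    return room - ESP_TRAILER_FIXED


def pre_fragment(inner_len: int, mtu: int, ts: TransformSet) -> List[Tuple[int, int, bool]]:
    """Split an inner IPv4 packet into fragments that each fit after encapsulation.

    Returns (fragment_offset_in_8_byte_units, fragment_length, more_fragments) per
    fragment. Each fragment carries its own 20-byte IP header, and all but the last
    hold a multiple of 8 payload bytes, as IP fragmentation requires.
    """
    limit = max_cleartext(mtu, ts)
    if inner_len <= limit:
        return [(0, inner_len, False)]          # fits as-is, no fragmentation needed
    chunk = (limit - INNER_IP_HEADER) // 8 * 8
    if chunk <= 0:
        raise ValueError("MTU too small to carry any fragment with this transform set")
    payload = inner_len - INNER_IP_HEADER
    frags, offset = [], 0
    while offset < payload:
        take = min(chunk, payload - offset)
        more = offset + take < payload
        frags.append((offset // 8, INNER_IP_HEADER + take, more))
        offset += take
    return frags


def all_fit(frags: List[Tuple[int, int, bool]], mtu: int, ts: TransformSet) -> bool:
    """Check that every fragment, once ESP-encapsulated, stays within the MTU."""
    return all(esp_tunnel_size(length, ts) <= mtu for _, length, _ in frags)


if __name__ == "__main__":
    mtu = 1500
    for ts in (ESP_AES_SHA, ESP_DES_MD5):
        print(f"{ts.name}: a 1500-byte packet becomes {esp_tunnel_size(1500, ts)} bytes; "
              f"largest cleartext that fits MTU {mtu} is {max_cleartext(mtu, ts)}")
        frags = pre_fragment(1500, mtu, ts)
        print(f"  pre-fragmented into {len(frags)}: {frags}; all fit: {all_fit(frags, mtu, ts)}")
```

With AES-CBC and HMAC-SHA1 a full 1500-byte packet grows to 1560 bytes on the wire, so it would be fragmented after encryption; pre-fragmenting it into a 1436-byte and an 84-byte piece keeps both ESP packets at or below 1500, and the decrypting router sees whole ESP packets it can handle in the CEF path.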

Firewall Support for SIP

Cisco IOS firewalls identify the source and destination IP address of a message and allow or block the passage of the message according to the configured firewall policy. Firewalls are configured with strict rules specifying static ports through which desirable data can pass while undesirable data is blocked. Messages sent with the Session Initiation Protocol (SIP) contain embedded transport addresses and dynamically allocated port numbers that the firewall cannot access. Embedded IP addresses disrupt signaling when NAT is turned on in conjunction with the IOS firewall. This feature adds support for SIP traffic traversing IOS firewalls on the Cisco 1700 platforms.
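An added example of the part of SIP inspection that a static port rule cannot do: pulling the media addresses and ports out of the SDP body so a firewall can open pinholes only for the call. This is illustrative code, not Cisco's implementation; the INVITE is constructed with documentation addresses, and the RTCP port is taken to be the RTP port plus one.

```python
"""Extract the media pinholes a SIP-aware firewall must open from a SIP message.

Added example, not Cisco code. SIP carries the RTP addresses and ports inside its
SDP body (c= and m= lines) rather than in the transport headers, which is why a
rule with static ports cannot see them. The parser below pulls them out so that a
firewall could open each RTP port and its RTCP companion (port + 1) for the call.
"""
from typing import Dict, List, Optional, Tuple

Pinhole = Tuple[str, str, int]   # (transport, address, port)


def build_sip_invite(body: str) -> str:
    """Assemble a constructed sample INVITE around an SDP body, computing Content-Length."""
    headers = [
        "INVITE sip:bob@203.0.113.10 SIP/2.0",
        "Via: SIP/2.0/UDP 192.0.2.5:5060;branch=z9hG4bK776asdhds",
        "From: Alice <sip:alice@192.0.2.5>;tag=1928301774",
        "To: Bob <sip:bob@203.0.113.10>",
        "Call-ID: a84b4c76e66710@192.0.2.5",
        "CSeq: 314159 INVITE",
        "Contact: <sip:alice@192.0.2.5:5060>",
        "Content-Type: application/sdp",
        f"Content-Length: {len(body.encode())}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


SAMPLE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.5\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.5\r\n"          # session-level connection address
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
    "c=IN IP4 192.0.2.6\r\n"          # media-level override for the video stream only
    "m=application 0 udp wb\r\n"      # port 0: stream declined, so no pinhole
)
SAMPLE_INVITE = build_sip_invite(SAMPLE_SDP)


def split_sip(message: str) -> Tuple[str, Dict[str, str], str]:
    """Split a SIP message into start line, headers (lower-cased names) and body."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def sdp_pinholes(sdp: str) -> List[Pinhole]:
    """Return (transport, address, port) for RTP and RTCP of every active media line.

    A c= line before any m= line applies to all media; a c= line after an m= line
    applies only to that stream.
    """
    session_addr: Optional[str] = None
    media: List[List] = []            # [port, transport, addr] per m= line
    for line in sdp.split("\r\n"):
        if line.startswith("c="):
            addr = line.split()[2]
            if media:
                media[-1][2] = addr
            else:
                session_addr = addr
        elif line.startswith("m="):
            fields = line.split()
            transport = "udp" if fields[2].upper().startswith("RTP/") else fields[2].lower()
            media.append([int(fields[1]), transport, None])
    pinholes: List[Pinhole] = []
    for port, transport, addr in media:
        addr = addr or session_addr
        if port == 0 or addr is None:
            continue                                     # declined stream or no address
        pinholes.append((transport, addr, port))         # RTP
        pinholes.append((transport, addr, port + 1))     # RTCP
    return pinholes


def pinholes_for_message(message: str) -> List[Pinhole]:
    """Pinholes for one SIP message; only application/sdp bodies are understood."""
    _, headers, body = split_sip(message)
    if headers.get("content-type", "").lower() != "application/sdp":
        return []
    return sdp_pinholes(body)


if __name__ == "__main__":
    for hole in pinholes_for_message(SAMPLE_INVITE):
        print("open", *hole)
```

A firewall that does this still has to close the pinholes on BYE or timeout, and when NAT is in use it must also rewrite the addresses in these c= lines and in the Via and Contact headers, which is the interaction the paragraph above describes.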

Firewall Websense URL Filtering

Websense is a third-party URL filtering software program that can filter Hypertext Transfer Protocol (HTTP) requests based on destination host name, destination IP address, keywords, and username. Websense maintains a URL database of more than 20 million sites organized into more than 60 categories and subcategories. This feature enables the Cisco IOS firewall on the Cisco 1700 router to perform URL filtering based on a Websense server. When a Cisco 1700 router receives an HTTP request, it sends a query to the Websense server with the requested URL. The Websense server performs the necessary lookups for the URL and returns a query response. Based on the Websense server's response, the router either blocks the HTTP request by redirecting the browser to a block page or proceeds with normal HTTP processing.

Firewall N2H2 Support

N2H2 is a globally deployed third-party URL filtering software program that can filter HTTP requests based on destination host name, destination IP address, and username and password. It relies on a URL database of more than 15 million sites organized into more than 40 categories, built using both Internet technology and human review. This feature enables the Cisco IOS firewall on the Cisco 1700 router to perform URL filtering based on an N2H2 server. When a Cisco 1700 router receives an HTTP request, it sends a query to the N2H2 server with the requested URL. The N2H2 server performs the necessary lookups for the URL and returns a query response. Based on the N2H2 server's response, the router either blocks the HTTP request by redirecting the browser to a block page or proceeds with normal HTTP processing.
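The request-query-verdict flow shared by the Websense and N2H2 sections above, as an added example. It is illustrative code, not Cisco's implementation and not either vendor's wire protocol: the lookup is a stand-in with a constructed category table, the block page URL is hypothetical, and `allow_on_server_failure` models the fail-open versus fail-closed choice a deployment has to make when the filtering server cannot be reached.

```python
"""Router-side URL filtering decision (added example, not Cisco, Websense or N2H2 code).

Rebuild the requested URL from an intercepted HTTP request, ask a filtering server
for the host's category, and either forward the request or answer the browser with
a redirect to a block page.
"""
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import quote

# Constructed category table standing in for the filtering server's database.
CATEGORY_DB: Dict[str, str] = {
    "intranet.example.com": "business",
    "news.example.net": "news",
    "games.example.org": "games",
}
BLOCKED_CATEGORIES = {"games", "malware"}
BLOCK_PAGE = "http://filter.example.com/blocked"    # hypothetical block page


class FilterServerDown(Exception):
    """Raised by a lookup when the filtering server cannot be reached."""


def lookup_category(host: str) -> Optional[str]:
    """Stand-in for the query to the filtering server; unknown hosts return None."""
    return CATEGORY_DB.get(host.lower())


def requested_url(request: str) -> Optional[str]:
    """Rebuild the URL from an HTTP/1.x request (origin-form plus Host, or absolute-form)."""
    lines = request.split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None                                   # not a well-formed request line
    target = parts[1]
    if target.lower().startswith("http://"):
        return target                                 # absolute-form (proxy-style) request
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host" and value.strip():
            return "http://" + value.strip() + target   # origin-form needs the Host header
    return None


def http_redirect(location: str) -> str:
    """The response the router sends back to the browser when it blocks a request."""
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {location}\r\n"
            "Connection: close\r\n"
            "Content-Length: 0\r\n\r\n")


def decide(request: str,
           lookup: Callable[[str], Optional[str]] = lookup_category,
           allow_on_server_failure: bool = False) -> Tuple[str, str]:
    """Return ("forward", url) or ("block", http_response) for one intercepted request."""
    url = requested_url(request)
    if url is None:
        return "block", http_redirect(BLOCK_PAGE)     # malformed request: nothing to look up
    host = url.split("/", 3)[2].split(":")[0]         # "http://host[:port]/..." -> host
    try:
        category = lookup(host)
    except FilterServerDown:
        if allow_on_server_failure:
            return "forward", url                     # fail open: no filtering while server is down
        return "block", http_redirect(BLOCK_PAGE)     # fail closed
    if category in BLOCKED_CATEGORIES:
        return "block", http_redirect(f"{BLOCK_PAGE}?url={quote(url, safe='')}")
    return "forward", url


if __name__ == "__main__":
    for req in ("GET /index.html HTTP/1.1\r\nHost: news.example.net\r\n\r\n",
                "GET /play HTTP/1.1\r\nHost: games.example.org\r\n\r\n"):
        verdict, detail = decide(req)
        print(verdict, detail.splitlines()[0] if verdict == "block" else detail)
```

The failure-mode parameter is the setting worth reviewing in a real deployment: failing open keeps users working when the filtering server is down but silently suspends the policy, while failing closed blocks all web traffic until the server is back.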

Firewall Stateful Inspection of ICMP

The Internet Control Message Protocol (ICMP) is a network-layer Internet protocol that returns message packets reporting errors and other information about IP packet processing to the source. This feature adds support for permitting ICMP traffic (ping and traceroute) originating from the Cisco IOS firewall configured on a Cisco 1700 router, while denying other ICMP traffic.
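The stateful logic behind that permit/deny decision, as an added example that is not Cisco's implementation. An outbound echo request opens a session; inbound echo replies are permitted only against a live session, and inbound ICMP error messages are permitted only when the packet they quote belongs to a session, which is how traceroute hops get their answers through. The packet sequence is constructed; the example assumes echo-based traceroute (a UDP-probe traceroute would require matching the quoted UDP header against a UDP session table, which is not shown).

```python
"""Stateful inspection of ICMP (added example, not Cisco code).

Permit ping and traceroute that originate on the inside, deny ICMP that arrives
unsolicited from the outside. Sessions are keyed by (source, destination, echo
identifier) and expire after an idle timeout.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
SessionKey = Tuple[str, str, int]          # (inside source, outside destination, identifier)


@dataclass(frozen=True)
class IcmpPacket:
    direction: str                         # "out" (from inside) or "in" (from outside)
    src: str
    dst: str
    icmp_type: int
    ident: int = 0                         # echo identifier (echo request/reply only)
    quoted: Optional[SessionKey] = None    # original echo's (src, dst, ident) quoted in an error message


class IcmpInspector:
    def __init__(self, idle_timeout: float = 10.0) -> None:
        self.idle_timeout = idle_timeout
        self.sessions: Dict[SessionKey, float] = {}    # session key -> expiry time

    def _alive(self, key: SessionKey, now: float) -> bool:
        """True if the session exists and has not idled out; refreshes it on a hit."""
        expiry = self.sessions.get(key)
        if expiry is None:
            return False
        if expiry < now:
            del self.sessions[key]                      # expired: drop the state
            return False
        self.sessions[key] = now + self.idle_timeout    # refresh on traffic
        return True

    def inspect(self, pkt: IcmpPacket, now: float) -> str:
        """Return "permit" or "deny" for one packet observed at time `now`."""
        if pkt.direction == "out":
            if pkt.icmp_type == ECHO_REQUEST:
                self.sessions[(pkt.src, pkt.dst, pkt.ident)] = now + self.idle_timeout
            return "permit"                             # traffic from the inside is allowed
        if pkt.icmp_type == ECHO_REPLY:
            return "permit" if self._alive((pkt.dst, pkt.src, pkt.ident), now) else "deny"
        if pkt.icmp_type in (TIME_EXCEEDED, DEST_UNREACHABLE):
            return "permit" if pkt.quoted and self._alive(pkt.quoted, now) else "deny"
        return "deny"                                   # unsolicited inbound ICMP, e.g. an echo request


def run_demo() -> List[str]:
    """Constructed packet sequence; returns the decision for each packet in order."""
    fw = IcmpInspector(idle_timeout=10.0)
    inside, target, hop, stranger = "10.0.0.5", "198.51.100.7", "198.51.100.1", "198.51.100.9"
    sequence = [
        (0.0, IcmpPacket("out", inside, target, ECHO_REQUEST, ident=0x1234)),    # ping goes out
        (0.1, IcmpPacket("in", target, inside, ECHO_REPLY, ident=0x1234)),       # matching reply
        (0.2, IcmpPacket("in", stranger, inside, ECHO_REQUEST, ident=0x0001)),   # unsolicited ping
        (0.3, IcmpPacket("in", hop, inside, TIME_EXCEEDED, quoted=(inside, target, 0x1234))),  # traceroute hop
        (0.4, IcmpPacket("in", target, inside, ECHO_REPLY, ident=0x9999)),       # reply to nothing
        (25.0, IcmpPacket("in", target, inside, ECHO_REPLY, ident=0x1234)),      # session has aged out
    ]
    return [fw.inspect(pkt, t) for t, pkt in sequence]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```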

Firewall Support of SSL Encrypted HTTP Authentication Proxy Sign-on

The Cisco IOS firewall on the Cisco 1700 router has an application called authentication proxy, which allows network administrators to apply specific security policies on a per-user basis. When authentication proxy is enabled on the Cisco 1700 router, users can log in to the network or access the Internet via HTTP. This feature adds Secure Sockets Layer (SSL)-based encryption support for the user ID and password exchange between the HTTP client and the Cisco 1700 router when the Cisco IOS firewall authentication proxy is enabled.

Firewall Intrusion Detection System Signature Enhancements

In this release, several new Intrusion Detection System (IDS) signatures have been added to enhance the intrusion detection support on the Cisco 1700 routers against Teardrop, Land Attack, Source Route Filter Option, Java, exe, ActiveX, Zip, and port scanning types of attacks.
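To make concrete what three of those signatures look for, an added example that is not Cisco IDS code: it decodes raw IPv4 headers and flags a Land packet (source equal to destination, same port both ways), overlapping IP fragments of the kind Teardrop relies on, and the presence of a loose or strict source-route option. The packets are constructed inline with documentation addresses, and the IP checksum is left at zero because nothing here validates it.

```python
"""Signature checks for Land, Teardrop-style overlapping fragments and the IP
source-route option (added example, not Cisco IDS code)."""
import socket
import struct
from collections import defaultdict
from typing import Dict, List, Tuple

IPPROTO_TCP, IPPROTO_UDP = 6, 17
OPT_EOL, OPT_NOP, OPT_LSRR, OPT_SSRR = 0, 1, 0x83, 0x89
FLAG_MF = 1                          # "more fragments" flag (bit 13 of the flags/offset field)
IP_HDR = "!BBHHHBBH4s4s"             # fixed 20-byte IPv4 header


def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"", ident: int = 1,
               flags: int = 0, frag_off: int = 0, options: bytes = b"") -> bytes:
    """Construct a raw IPv4 packet for the demonstration (checksum left 0)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 5 + len(options) // 4
    header = struct.pack(IP_HDR, (4 << 4) | ihl, 0, ihl * 4 + len(payload), ident,
                         (flags << 13) | frag_off, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + options + payload


def parse_ipv4(pkt: bytes) -> Dict:
    """Decode the fields the signatures need from a raw IPv4 packet."""
    ver_ihl, _, total, ident, flags_off, _, proto, _, src, dst = struct.unpack(IP_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
        "ident": ident, "mf": bool(flags_off & 0x2000), "frag_off": (flags_off & 0x1FFF) * 8,
        "options": pkt[20:ihl], "payload": pkt[ihl:total],
    }


def has_source_route(options: bytes) -> bool:
    """True if an LSRR or SSRR option is present; walks the option list by length."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if kind in (OPT_LSRR, OPT_SSRR):
            return True
        if i + 1 >= len(options):
            break                                    # truncated option
        i += max(options[i + 1], 2)                  # length covers the kind and length bytes
    return False


def is_land(ip: Dict) -> bool:
    """Land: source equals destination and, for TCP/UDP, source port equals destination port."""
    if ip["src"] != ip["dst"]:
        return False
    if ip["proto"] in (IPPROTO_TCP, IPPROTO_UDP) and ip["frag_off"] == 0 and len(ip["payload"]) >= 4:
        sport, dport = struct.unpack("!HH", ip["payload"][:4])
        return sport == dport
    return False


class FragmentTracker:
    """Remember fragment byte ranges per datagram and flag any fragment overlapping an earlier one."""

    def __init__(self) -> None:
        self.ranges: Dict[Tuple, List[Tuple[int, int]]] = defaultdict(list)

    def overlaps(self, ip: Dict) -> bool:
        key = (ip["src"], ip["dst"], ip["ident"], ip["proto"])
        start, end = ip["frag_off"], ip["frag_off"] + len(ip["payload"])
        hit = any(start < e and s < end for s, e in self.ranges[key])
        self.ranges[key].append((start, end))
        return hit


def inspect(pkt: bytes, tracker: FragmentTracker) -> List[str]:
    """Run the signature checks on one packet and return the names of those that fire."""
    ip = parse_ipv4(pkt)
    alerts: List[str] = []
    if has_source_route(ip["options"]):
        alerts.append("ip-source-route-option")
    if is_land(ip):
        alerts.append("land")
    if (ip["mf"] or ip["frag_off"]) and tracker.overlaps(ip):
        alerts.append("teardrop-overlap")
    return alerts


def run_demo() -> List[List[str]]:
    """Constructed packets: a normal SYN, a Land packet, an LSRR packet, two overlapping fragments."""
    tracker = FragmentTracker()
    lsrr = bytes([OPT_LSRR, 7, 4]) + socket.inet_aton("198.51.100.1")
    packets = [
        build_ipv4("192.0.2.5", "203.0.113.1", IPPROTO_TCP, struct.pack("!HH", 40000, 80)),
        build_ipv4("203.0.113.1", "203.0.113.1", IPPROTO_TCP, struct.pack("!HH", 139, 139)),
        build_ipv4("192.0.2.5", "203.0.113.1", IPPROTO_TCP, struct.pack("!HH", 40000, 80), options=lsrr),
        build_ipv4("192.0.2.5", "203.0.113.1", IPPROTO_UDP, b"A" * 24, ident=7, flags=FLAG_MF),
        build_ipv4("192.0.2.5", "203.0.113.1", IPPROTO_UDP, b"B" * 16, ident=7, frag_off=1),  # byte 8: overlaps
    ]
    return [inspect(p, tracker) for p in packets]


if __name__ == "__main__":
    for alerts in run_demo():
        print(alerts or ["clean"])
```

The fragment check keeps state per (source, destination, identification, protocol), so it needs the same ageing of stale entries that any reassembly table does; the example omits that to stay short.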

MGCP Support for CallManager (IP-PBX)

The Media Gateway Control Protocol (MGCP) Support for CallManager (IP-PBX) feature enables the Cisco 1751 and Cisco 1760 IOS software to interact with Cisco CallManager using MGCP. It provides MGCP-based supplementary services, failover, redundancy, and multicast music on hold (MoH) support for CallManager.

Limitations

The following sections describe limitations of the new software features supported by the Cisco 1700 series routers for Release 12.2(11)YU1.

Advanced Encryption Standard

Advanced Encryption Standard (AES) cannot encrypt IPSec and IKE traffic if an acceleration card is present and enabled. AES is available in software only.

Caveats

Caveats describe unexpected behavior or defects in Cisco IOS software releases. Severity 1 caveats are the most serious caveats, severity 2 caveats are less serious, and severity 3 caveats are the least serious of these three severity levels.

Caveats in Release 12.2 T are also in Release 12.2(11)YU1. For information on caveats in Cisco IOS Release 12.2 T, refer to the Caveats for Cisco IOS Release 12.2 T document. For information on caveats in Cisco IOS Release 12.2, refer to the Caveats for Cisco IOS Release 12.2 document. These documents list severity 1 and 2 caveats, and are located on CCO and the Documentation CD.

Note If you have an account with Cisco.com, you can also use the Bug Toolkit to find select caveats of any severity. To reach the Bug Toolkit, log in to Cisco.com and click Service & Support: Technical Assistance Center: Tool Index: Bug Toolkit. Another option is to go to http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl.

Resolved Caveats - Release 12.2(11)YU1

Miscellaneous

CSCdz71127

Cisco routers and switches running Cisco IOS software and configured to process Internet Protocol version 4 (IPv4) packets are vulnerable to a Denial of Service (DoS) attack. A rare sequence of crafted IPv4 packets sent directly to the device may cause the input interface to stop processing traffic once the input queue is full. No authentication is required to process the inbound packet. Processing of IPv4 packets is enabled by default. Devices running only IP version 6 (IPv6) are not affected. A workaround is available.

Cisco has made software available, free of charge, to correct the problem.

CSCea02355

Cisco routers and switches running Cisco IOS software and configured to process Internet Protocol version 4 (IPv4) packets are vulnerable to a Denial of Service (DoS) attack. A rare sequence of crafted IPv4 packets sent directly to the device may cause the input interface to stop processing traffic once the input queue is full. No authentication is required to process the inbound packet. Processing of IPv4 packets is enabled by default. Devices running only IP version 6 (IPv6) are not affected. A workaround is available.

Cisco has made software available, free of charge, to correct the problem.

CSCdz16242

CSCdz20150

CSCdz29619

IKE SA fails, and tunnels fail to come up after failover.

CSCdz06573

SIP: 200 OK of BYE does not pass through with inside static NAT configurations.

Related Documentation

The following sections describe the documentation available for the Cisco 1700 series routers. Typically, these documents consist of hardware and software installation guides, Cisco IOS configuration and command references, system error messages, feature modules, and other documents. Documentation is available as printed manuals or electronic documents, except for feature modules, which are available online on Cisco.com and the Documentation CD.

Use these release notes with the documents listed in the following sections:

• To reach product bulletins, field notices, and other release-specific documents, click this path:

Technical Documents: Product Bulletins

• To reach the Caveats for Cisco IOS Release 12.2 and Caveats for Cisco IOS Release 12.2 T documents, which contain caveats applicable to all platforms for all maintenance releases of Release 12.2, click this path:

Technical Documents: Cisco IOS Software: Release 12.2: Caveats

Note If you have an account with Cisco.com, you can also use the Bug Toolkit to find select caveats of any severity. To reach the Bug Toolkit, log in to Cisco.com and click Service & Support: Technical Assistance Center: Tool Index: Bug Toolkit. Another option is to go to http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl.

Platform-Specific Documents

Hardware installation guides, configuration and command reference guides, and additional documents specific to Cisco 1700 series routers are available on Cisco.com and the Documentation CD at the following location:

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which is shipped with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.

Obtaining Technical Assistance

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from online tools by using the Cisco Technical Assistance Center (TAC) Web Site. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC Web Site.

Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.

Cisco.com is a highly integrated Internet application and a powerful, easy-to-use tool that provides a broad range of features and services to help you with these tasks:

Technical Assistance Center

The Cisco Technical Assistance Center (TAC) is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two levels of support are available: the Cisco TAC Web Site and the Cisco TAC Escalation Center.

Cisco TAC inquiries are categorized according to the urgency of the issue:

• Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects of business operations. No workaround is available.

• Priority level 1 (P1)—Your production network is down, and a critical impact to business operations will occur if service is not restored quickly. No workaround is available.

The Cisco TAC resource that you choose is based on the priority of the problem and the conditions of service contracts, when applicable.

Cisco TAC Web Site

You can use the Cisco TAC Web Site to resolve P3 and P4 issues yourself, saving both cost and time. The site provides around-the-clock access to online tools, knowledge bases, and software. To access the Cisco TAC Web Site, go to this URL:

All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC Web Site. The Cisco TAC Web Site requires a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:

Before calling, please check with your network operations center to determine the level of Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.